Web address investigation

Kaspersky Threat Intelligence Portal enables you to search for information about web addresses.

General information about web address

Kaspersky Threat Intelligence Portal provides the following general information about web addresses.

General information about web address

Field name

Description

Status

Shows whether the requested web address can be classified as malicious, good, or not categorized.

The web address can have one of the following statuses:

Good—Web address is not malicious.

No threats detected—Web address was scanned and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section.

Dangerous—There are malicious objects related to the web address.

Adware and other—There are objects related to the web address that can be classified as Not-a-virus.

Not trusted—Web address is categorized as Infected or Compromised.

Not categorized—No or not enough information about the web address is available to define the category.

IPv4 count

Number of known IP addresses related to the requested web address.

File count

Number of known malicious / all files.

Created

Web address creation date.

Expires

Web address expiration date.

Domain

Name of the upper-level domain.

Registration organization

Name of the registration organization.

Registrar name

Name of the domain name registrar.

Categories

Categories of the requested web address. If the web address does not belong to any defined categories, the General category is displayed.

Reports

Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you have a valid commercial license for the corresponding service and the requested web address is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.

Data Feeds

List of Threat Data Feeds that contain information about the requested web address. You can click a link to view the list of available feeds on the Threat Data Feeds page.

Graphical information about web address

A timeline shows detection statistics for certain historical periods. The changes in the zone of a categorized object are displayed for two months (by default) or two years. The timeline is generated only when detection statistics for the period are available for the specific object.

The timeline shows changes only for the following statuses:

If you pause the mouse pointer on a certain point of the timeline, Kaspersky Threat Intelligence Portal displays the date and time of the detection and category of the object.

The category and status of the object on the timeline might not match the category in Categories and status in the object lookup results due to different methods applied.

Additional information about web address

Kaspersky Threat Intelligence Portal provides additional information, displayed in separate tables, about the web address that is being investigated. You can export data from these tables as separate archives.

Additional information about web address

Table name

Description

Table fields

Comments

WHOIS

WHOIS information about the domain for the requested web address.

Contact—Contact type (person or organization).

Name—Contact name.

Role—Role of a contact (for example, owner).

Address—Postal address that is registered for the IP address.

Phone / Fax—Phone/fax number of a contact.

Email—Email address of a contact.

DNS resolutions for domain

IP addresses that the domain for the requested web address resolves to.

Status—Status of IP addresses that the domain for the requested web address resolves to.

Threat score—Probability that the requested IP address will be dangerous (0 to 100).

Hits—Number of IP address detections by Kaspersky expert systems.

IP—IP addresses. Items are clickable and take you to the Threat Lookup page, where you can search for information about the IP address. The flag of the country to which the IP address belongs is displayed. When you hover your mouse over a flag, a tooltip with a country name appears.

First resolved—Date and time when the domain for the requested web address first resolved to the IP address.

Last resolved—Date and time when the domain for the requested web address last resolved to the IP address.

Peak date—Date of maximum number of domain resolutions to the IP address.

Daily peak—Maximum number of domain resolutions to the IP address per day.

Items in the table are grouped by status. Items in each group are sorted by the Threat score field in descending order.
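The grouping and sorting rule stated above, applied to the DNS resolutions table, as an added example that is not part of the portal or its documentation. The rows are constructed sample data, and the display order of the status groups is an assumption, since the page only says that rows are grouped by status.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Status values named on this page. The order in which the groups are
# presented is an assumption; the page does not specify it.
STATUS_ORDER = ["Dangerous", "Not trusted", "Adware and other", "Good", "Not categorized"]


@dataclass
class Resolution:
    """One row of the 'DNS resolutions for domain' table."""
    status: str
    threat_score: int        # 0 to 100, per the page
    hits: int
    ip: str
    first_resolved: datetime
    last_resolved: datetime


def group_and_sort(rows: List[Resolution]) -> Dict[str, List[Resolution]]:
    """Group rows by status; within each group, sort by threat score descending."""
    groups: Dict[str, List[Resolution]] = {}
    for row in rows:
        if not 0 <= row.threat_score <= 100:
            raise ValueError(f"threat score out of range: {row.threat_score}")
        groups.setdefault(row.status, []).append(row)
    for status in groups:
        groups[status].sort(key=lambda r: r.threat_score, reverse=True)
    # Emit known statuses in the assumed display order, any others last.
    ordered = {s: groups[s] for s in STATUS_ORDER if s in groups}
    for s, rows_in_group in groups.items():
        ordered.setdefault(s, rows_in_group)
    return ordered


def highest_risk_ip(rows: List[Resolution], status: str) -> str:
    """Return the IP with the highest threat score for a given status, or '' if none."""
    group = group_and_sort(rows).get(status, [])
    return group[0].ip if group else ""


# Constructed sample rows using documentation (RFC 5737) address ranges.
SAMPLE = [
    Resolution("Good", 5, 120, "192.0.2.10", datetime(2023, 1, 3), datetime(2023, 6, 1)),
    Resolution("Dangerous", 67, 14, "198.51.100.9", datetime(2023, 4, 2), datetime(2023, 5, 9)),
    Resolution("Dangerous", 92, 30, "198.51.100.7", datetime(2023, 3, 1), datetime(2023, 6, 2)),
    Resolution("Not categorized", 40, 2, "203.0.113.5", datetime(2023, 5, 20), datetime(2023, 5, 21)),
]
```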

Files downloaded from requested URL

Objects that were downloaded from the requested web address.

Status—Status of downloaded files.

Hits—Number of file downloads from the requested web address as detected by Kaspersky expert systems.

File MD5—MD5 hash of the downloaded file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Last seen—Date and time when the file was last downloaded from the requested web address, according to your computer's local time zone.

First seen—Date and time when the file was first downloaded from the requested web address, according to your computer's local time zone.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.

Files that accessed requested URL

MD5 hashes of files that accessed the requested web address.

Status—Status of MD5 hashes of files that accessed the requested web address.

Hits—Number of times the file accessed the requested web address.

File MD5—MD5 hash of the file that accessed the requested web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Last accessed—Date and time when the file last accessed the requested web address.

First accessed—Date and time when the file first accessed the requested web address.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Referrals to requested URL

Web addresses that refer to the requested web address.

Status—Status of web addresses that refer to the requested web address.

URL—Web address that refers to the requested web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.

Last reference—Date and time when the requested web address was last referred to.

Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.

Requested object linked, forwarded, or redirected to the following URLs

Requested object links, forwards, or redirects to the following web addresses.

Status—Status of web addresses that the requested object links, forwards, or redirects to.

URL—Web address accessed by the requested web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.

Last reference—Date and time when the requested web address last linked, forwarded, or redirected to listed web addresses.

Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.

URL masks

Masks of the requested web address domain, which were detected by Kaspersky expert systems. If a mask is included in Threat Data Feeds, the feed names are also displayed.

Status—Status of web addresses covered by the corresponding mask (Dangerous, Not trusted, or Adware and other).

Type—Mask type.

Mask—Mask related to the domain of the requested web address.

Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which shows investigation results for the domain mask. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation.

Feeds—Threat Data Feeds that contain the domain mask of the requested web address. In this field, any of the following Threat Data Feeds can be displayed: Malicious URL Data Feed, Phishing URL Data Feed, and Botnet CC URL Data Feed. If a mask is detected by Kaspersky expert systems, but not included in any of these Threat Data Feeds, "—" is displayed.

Each item in this list is clickable—you can click it to navigate to the corresponding Threat Data Feed on the Data Feeds page.

Spam attacks

Information about spam attacks associated with the requested web address.

Number of attacks—Number of spam attacks.

Phishing attacks

Information about phishing attacks associated with the requested web address.

Phishing status—Shows whether the requested web address can be considered a phishing web address.

Number of attacks—Number of phishing attacks.

Phishing kit—Name of a phishing kit (a set of materials and tools) used during the phishing attack.

Stolen data type—Type of data stolen during the phishing attack (for example, user names or passwords).

Attacked industry—Target industry of a phishing attack.

Attacked organization—Target organization of a phishing attack.

Phishing attack statistics

Graph showing the number of phishing attacks in the last six months.